The days of your inbox bursting at its digital seams with Viagra pitches and the sob stories of Nigerian princesses are long gone – but that doesn’t mean the scams are gone. They’ve just migrated to find fresh victims on Twitter.
That, at least, is the conclusion of a paper just presented at the 22nd USENIX Security Symposium in Washington, D.C. A team of researchers—including Vern Paxson and Chris Grier from UC Berkeley’s International Computer Science Institute—spent almost a year investigating 27 purveyors of fraudulent social media accounts. These shadowy illicit-information dealers aggregate fake Twitter accounts and sell them to spammers and phishers around the world, who in turn use them to defraud credulous Twitter users.
“What we found is that spam on Twitter was five times more successful (from the scammers’ point of view) than email spam,” Grier tells us. “In terms of running a con, email spam now has low value. The filters are too good, and people have a strong sense of what a phony email query looks like. But relatively speaking, Twitter users are still somewhat naive about social media spam. Plus, the Twitter format can make it difficult to tell what’s spam and what isn’t.”
At least 3 percent of active Twitter accounts are estimated to be fraudulent.
Scammers and phishers often “buy” fake Twitter accounts from merchants who specialize in creating accounts that evade the various roadblacks Twitter throws up to thwart them. One example of such a roadblock is a CAPTCHA—those distorted number-letter combinations a computer sometimes asks you to identify to prove you’re human.
“The complexities required to circumvent registration barriers such as CAPTCHAs, email conﬁrmation, and IP blacklists have lead to the emergence of an underground market that specializes in selling fraudulent accounts in bulk,” the study notes. “Account merchants operating in this space brazenly advertise: a simple search query for ‘buy twitter accounts’ yields a multitude of offers for fraudulent Twitter credentials with prices ranging from $10–200 per thousand. Once purchased, accounts serve as stepping stones to more proﬁtable spam enterprises that degrade the quality of web services, such as pharmaceutical spam or fake anti-virus campaigns.”
The researchers also note that the underhanded merchants provide scammers with fraudulent accounts linked to a diverse pool of IP addresses—numerical labels that identify each computer or other user device in a network—to try to keep Twitter from blacklisting fraudulent accounts. “Our analysis leads us to believe that account merchants either own or rent access to thousands of compromised hosts to evade IP defenses,” the study reports.
Once discovered, an illicit Twitter account is easy to foil. But controlling the general trade is another matter entirely. The malefactors can be difficult to locate and prosecute, and their operations are global in scope. Moreover, the sheer volume of their business is daunting.
To do harm—which is to say, to do good as a peddler of bogus Twitter accounts—you need to deal in bulk. “We’re talking millions of accounts,” says Grier. “They’re a commodity, a fundamental resource.”
Once fake accounts are identified, he adds, “Twitter can roll them up without any difficulty. In fact, the accounts usually don’t last long before they’re discovered and neutralized. So the users need a constant supply of fresh fake accounts to stay in business.”
To maintain profitability, Twitter scammers stay topical. “It’s a percentages game, in that the more tweets you send, the better your chances of getting a hit and making a profit,” he says. “That said, they’re savvy enough to latch on to popular hashtags quickly. The trendier the tag, the more interest they can generate, and the more money they can make.”
The researchers also confirmed that the fake Twitter-account trade mimics many legitimate industries, in that there are a few voracious whales at the top, a moderate number of predatory fish of moderate size cruising at mid-depth, and a passel of bottom feeders subsisting on scraps.
“The 27 merchants we investigated handled between 10 to 20 percent of all the illegitimate accounts created on Twitter during our research period. Remember, that’s millions of accounts. That kind of surprised us,” says Grier. The study also found that those 27 merchants appeared to generate up to $459,000 for their efforts before Twitter, aided by the researchers, identified the offenders and shut them down.
So does the discovery that Twitter is a hotbed of cyber crime dissuade Grier from using social media? Naw.
“It hasn’t dampened my enthusiasm at all,” he says. “What’s going on with Twitter now is what went on with email. As users become familiar with the threats, I think it will be increasingly difficult to launch successful attacks. And I have to say that Twitter has been extremely responsive. They are quick to roll up fraudulent accounts, and they were very happy to engage with us and help us with our research.”